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Using the International Mobile station Equipment Identity (IMEI) 
Uniform Resource Name (URN) as an Instance ID 


Abstract 


This specification defines how the Uniform Resource Name (URN) 
reserved for the Global System for Mobile Communications Association 
(GSMA) identities and its sub-namespace for the International Mobile 
station Equipment Identity (IMEI) can be used as an instance-id. Its 
purpose is to fulfill the requirements for defining how a specific 
URN needs to be constructed and used in the ’+sip.instance’ Contact 
header field parameter for outbound behavior. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is 
published for informational purposes. 


This document is a product of the Internet Engineering Task Force 


(IETF). It represents the consensus of the IETF community. It has 
received public review and has been approved for publication by the 
Internet Engineering Steering Group (IESG). Not all documents 


approved by the IESG are a candidate for any level of Internet 
Standard; see Section 2 of RFC 5741. 


Information about the current status of this document, any errata, 


and how to provide feedback on it may be obtained at 
http://www.rfc-editor.org/info/rfc7255. 
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1. Introduction 


This specification defines how the Uniform Resource Name (URN) 
reserved for the Global System for Mobile Communications Association 
(GSMA) identities and its sub-namespace for the International Mobile 
station Equipment Identity (IMEI) as specified in RFC 7254 [1] can be 
used as an instance-id as specified in RFC 5626 [2] and also as used 
by RFC 5627 [3]. 


RFC 5626 [2] specifies the ’+sip.instance’ Contact header field 
parameter that contains a URN as specified in RFC 2141 [4]. The 
instance-id uniquely identifies a specific User Agent (UA) instance. 
This instance-id is used as specified in RFC 5626 [2] so that the 
Session Initiation Protocol (SIP) registrar (as specified in RFC 3261 
[9]) can recognize that the contacts from multiple registrations 
correspond to the same UA. The instance-id is also used as specified 
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by RFC 5627 [3] to create Globally Routable User Agent URIs (GRUUs) 
that can be used to uniquely address a UA when multiple UAS are 
registered with the same Address of Record (AOR). 


RFC 5626 [2] requires that a UA SHOULD create a Universally Unique 
Identifier (UUID) URN as specified in RFC 4122 [6] as its instance-id 
but allows for the possibility to use other URN schemes. Per 

RFC 5626, "If a URN scheme other than UUID is used, the UA MUST only 
use URNs for which an RFC (from the IETF stream) defines how the 
specific URN needs to be constructed and used in the "+sip.instance" 
Contact header field parameter for outbound behavior". This 
specification meets this requirement by specifying how the GSMA IMEI 
URN is used in the ’+sip.instance’ Contact header field parameter for 
outbound behavior, and RFC 7254 [1] specifies how the GSMA IMET URN 
is constructed. 


The GSMA IMEI is a URN for the IMEI -- a globally unique identifier 
that identifies mobile devices used in the GSM, Universal Mobile 
Telecommunications System (UMTS), and 3rd Generation Partnership 
Project (3GPP) Long Term Evolution (LTE) networks. The IMEI 
allocation is managed by the GSMA to ensure that the IMEI values are 
globally unique. Details of the formatting of the IMEI as a URN are 
specified in RFC 7254 [1], and the definition of the IMEI is 
contained in 3GPP TS 23.003 [10]. Further details about the GSMA’s 
role in allocating the IMEI, and the IMEI allocation guidelines, can 
be found in GSMA PRD TS.06 [11]. 


2. Terminology 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", “SHALL NOT", 
"SHOULD", “SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in RFC 2119 [7]. 


3. Background 


GSM, UMTS, and LTE capable mobile devices represent 90% of the mobile 
devices in use worldwide. Every manufactured GSM, UMTS, or LTE 
mobile device has an allocated IMEI that uniquely identifies this 
specific mobile device. Among other things, in some regulatory 
jurisdictions the IMEI is used to identify that a stolen mobile 
device is being used, to help to identify the subscription that is 
using it, and to prevent use of the mobile device. While GSM was 
originally a circuit switched system, enhancements such as the 
General Packet Radio Service (GPRS) and UMTS have added IP data 
capabilities that, along with the definition of the IP Multimedia 
Subsystem (IMS), have made SIP-based calls and IP multimedia sessions 
from mobile devices possible. 


Allen Informational [Page 3] 


RFC 7255 Using IMEI URN as an Instance ID May 2014 


The latest enhancement, known as LTE, introduces even higher data 
rates and dispenses with the circuit switched infrastructure 
completely. This means that with LTE networks, voice calls will need 
to be conducted using IP and IMS. However, the transition to all IP 
SIP-based IMS networks worldwide will take a great many years, and 
mobile devices, being mobile, will need to operate in both IP/SIP/IMS 
mode and circuit switched mode. This means that calls and sessions 
will need to be handed over between IP/SIP/IMS mode and circuit 
switched mode mid-call or mid-session. Also, since many existing GSM 
and UMTS radio access networks are unable to support IP/SIP/IMS-based 
voice services in a commercially acceptable manner, some sessions 
could have some media types delivered via IP/IMS simultaneously with 
voice media delivered via the circuit switched domain to the same 
mobile device. To achieve this, the mobile device needs to be 
simultaneously attached via both the IP/SIP/IMS domain and the 
circuit switched domain. 


To meet this need, the 3GPP has specified how to maintain session 
continuity between the IP/SIP/IMS domain and the circuit switched 
domain in 3GPP TS 24.237 [12], and in 3GPP TS 24.292 [13] has 
specified how to access IMS hosted services via both the IP/SIP/IMS 
domain and the circuit switched domain. 


In order for the mobile device to access SIP/IMS services via the 
circuit switched domain, the 3GPP has specified a Mobile Switching 
Center (MSC) server enhanced for IMS Centralized Services (ICS) anda 
MSC server enhanced for Single Radio Voice Call Continuity (SR-VCC) 
that control mobile voice call setup over the circuit switched radio 
access while establishing the corresponding voice session in the core 
network using SIP/IMS. To enable this, the MSC server enhanced for 
ICS or the MSC server enhanced for SR-VCC performs SIP registration 
on behalf of the mobile device, which is also simultaneously directly 
registered with the IP/SIP/IMS domain. The only mobile device 
identifier that is transportable using GSM/UMTS/LTE signaling is the 
IMEI; therefore, the instance-id included by the MSC server enhanced 
for ICS or the MSC server enhanced for SR-VCC when acting on behalf 
of the mobile device, and the instance-id directly included by the 
mobile device, both need to be based on the IMEI. 


Additionally, in order to meet the above requirements, the same IMEI 
that is obtained from the circuit switched signaling by the MSC 
server needs to be obtainable from SIP signaling so that it can be 
determined that both the SIP signaling and circuit switched signaling 
originate from the same mobile device. 


For these reasons, 3GPP TS 24.237 [12] and 3GPP TS 24.292 [13] 


already specify the use of the URN namespace for the GSMA IMEI URN as 
specified in RFC 7254 [1] as the instance-id used by GSM/UMTS/LTE 
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4. 


mobile devices, the MSC server enhanced for SR-VCC, and the MSC 
server enhanced for ICS, for SIP/IMS registrations and emergency- 
related SIP requests. 


3GPP Use Cases 


1. The mobile device includes its IMEI in the SIP REGISTER request 
so that the SIP registrar can perform a check of the Equipment 
Identity Register (EIR) to verify whether this mobile device is 
allowed to access the network for non-emergency services or is 
barred from doing so (e.g., because the device has been stolen). 
If the mobile device is not allowed to access the network for 
non-emergency services, the SIP registrar can reject the 
registration and thus prevent a barred mobile device from 
accessing the network for non-emergency services. 


2. The mobile device includes its IMEI in SIP INVITE requests used 
to establish emergency sessions. This is so that the Public 
Safety Answering Point (PSAP) can obtain the IMEI of the mobile 
device for identification purposes if required by regulations. 


3. The IMEI that is included in SIP INVITE requests by the mobile 
device and used to establish emergency sessions is also used in 
cases of unauthenticated emergency sessions to enable the network 
to identify the mobile device. This is especially important if 
the unauthenticated emergency session is handed over from the 
packet switched domain to the circuit switched domain. In this 
scenario, the IMEI is the only identifier that is common to both 
domains, so the Emergency Access Transfer Function (EATF) in the 
network, which in such cases coordinates the transfer between 
domains, can use the IMEI to determine that the circuit switched 
call is from the same mobile device that was in the emergency 
session in the packet switched domain. 


User Agent Client Procedures 


A User Agent Client (UAC) that has an IMEI as specified in 3GPP TS 
23.003 [10] and that is registering with a 3GPP IMS network MUST 
include in the "sip.instance" media feature tag the GSMA IMEI URN 
according to the syntax specified in RFC 7254 [1] when performing the 
registration procedures specified in RFC 5626 [2] or RFC 5627 [3], or 
any other procedure requiring the inclusion of the "sip.instance" 
media feature tag. The UAC SHOULD NOT include the optional ’svn’ 
parameter in the GSMA IMEI URN in the "sip.instance" media feature 
tag, since the software version can change as a result of upgrades to 
the device firmware that would create a new instance-id. Any future 
non-zero values of the ’vers’ parameter, or the future definition of 
additional parameters for the GSMA IMEI URN that are intended to be 
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used as part of an instance-id, will require that an update be made 
to this RFC. The UAC MUST provide character-by-character identical 
URNs in each registration according to RFC 5626 [2]. Hence, any 
optional or variable components of the URN (e.g., the ’vers’ 
parameter) MUST be presented with the same values and in the same 
order in every registration as in the first registration. 


A UAC MUST NOT use the GSMA IMEI URN as an instance-id, except when 
registering with a 3GPP IMS network. When a UAC is operating in IMS 
mode, it will obtain from the Universal Integrated Circuit Card 
(UICC) (commonly known as the SIM card) the domain of the network 
with which to register. This is a carrier’s IMS network domain. The 
UAC will also obtain the address of the IMS edge proxy to send the 
REGISTER request containing the IMEI using information elements in 
the Attach response when it attempts to connect to the carrier’s 
packet data network. When registering with a non-3GPP IMS network, a 
UAC SHOULD use a UUID as an instance-id as specified in RFC 5626 [2]. 


A UAC MUST NOT include the "sip.instance" media feature tag 
containing the GSMA IMEI URN in the Contact header field of non- 
REGISTER requests, except when the request is related to an emergency 
session. Regulatory requirements can require that the IMEI be 
provided to the PSAP. Any future exceptions to this prohibition will 
require the publication of an RFC that addresses how privacy is not 
violated by such usage. 


6. User Agent Server Procedures 


A User Agent Server (UAS) MUST NOT include its "sip.instance" media 
feature tag containing the GSMA IMEI URN in the Contact header field 
of responses, except when the response is related to an emergency 
session. Regulatory requirements can require that the IMEI be 
provided to the PSAP. Any future exceptions to this prohibition will 
require the publication of an RFC that addresses how privacy is not 
violated by such usage. 


7. 3GPP SIP Registrar Procedures 


In 3GPP IMS, when the SIP registrar receives in the Contact header 
field a "Sip.instance" media feature tag containing the GSMA IMEI URN 
according to the syntax specified in RFC 7254 [1] the SIP registrar 
follows the procedures specified in RFC 5626 [2]. The IMEI URN MAY 
be validated as described in RFC 7254 [1]. If the UA indicates that 
it supports the extension in RFC 5627 [3] and the SIP registrar 
allocates a public GRUU according to the procedures specified in 

RFC 5627 [3], the instance-id MUST be obfuscated when creating the 
‘gr’ parameter in order not to reveal the IMEI to other UAs when the 
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public GRUU is included in non-REGISTER requests and responses. 3GPP 
TS 24.229 [8] subclause 5.4.7A.2 specifies the mechanism for 
obfuscating the IMEI when creating the ‘gr’ parameter. 


8. Security Considerations 


Because IMEIs, like other formats of instance-ids, can be correlated 
to a user, they are personally identifiable information and therefore 
MUST be treated in the same way as any other personally identifiable 
information. In particular, the "sSip.instance" media feature tag 
containing the GSMA IMEI URN MUST NOT be included in requests or 
responses intended to convey any level of anonymity, as this could 
violate the user’s privacy. RFC 5626 [2] states that "One case where 
a UA could prefer to omit the "Sip.instance" media feature tag is 
when it is making an anonymous request or some other privacy concern 
requires that the UA not reveal its identity". The same concerns 
apply when using the GSMA IMEI URN as an instance-id. Publication of 
the GSMA IMEI URN to networks to which the UA is not attached, or 
with which the UA does not have a service relationship, is a security 
breach, and the "Sip.instance" media feature tag MUST NOT be 
forwarded by the service provider’s network elements when forwarding 
requests or responses towards the destination UA. Additionally, an 
instance-id containing the GSMA IMEI URN identifies a mobile device 
and not a user. The instance-id containing the GSMA IMEI URN MUST 
NOT be used alone as an address for a user or as an identification 
credential for a user. The GRUU mechanism specified in RFC 5627 [3] 
provides a means to create URIs that address the user at a specific 
device or User Agent. 


Entities that log the instance-id need to protect them as personally 
identifiable information. Regulatory requirements can require that 
carriers log SIP IMEIs. 


In order to protect the "Sip.instance" media feature tag containing 
the GSMA IMEI URN from being tampered with, those REGISTER requests 
containing the GSMA IMEI URN MUST be sent using a security mechanism 
such as Transport Layer Security (TLS) (RFC 5246 [5]) or another 
security mechanism that provides equivalent levels of protection such 
as hop-by-hop security based upon IPsec. 
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